Load balancing HTTPS with stickiness

Hi all,
We'd like to do HTTPS load balancing with stickiness (cookie stickiness).
Is it possible? How do we configure it?
I've tried to configure it as follows, but it seems that the client does not receive the cookie.
sticky http-cookie INAMI-OWA-PRD INAMI-OWA-STICKY
  cookie insert browser-expire
  timeout 60
  replicate sticky
  serverfarm ISA-PRD-EXCHANGE-OWA-SF
serverfarm host ISA-PRD-EXCHANGE-OWA-SF
  description Serverfarm used for Exchange OWA (portal.inami.be) in production
  probe ICMP-PROBE-ALL
  probe ISA-PRD-HTTPS-EXCHANGE-OWA-PROBE
  rserver ISA-DMZ-PRD-1
    inservice
  rserver ISA-DMZ-PRD-2
    inservice
  rserver ISA-DMZ-PRD-3
    inservice
class-map match-any ISA-VIP-PRD-EXCHANGE-OWA
  2 match virtual-address xxx.xxx.xxx.xxx tcp eq https
policy-map type loadbalance first-match SLB-PRD-EXCHANGE-OWA
  class class-default
    sticky-serverfarm INAMI-OWA-STICKY
policy-map multi-match ISA-PRD-LOADBALANCING
  class ISA-VIP-PRD-EXCHANGE-OWA
    loadbalance vip inservice
    loadbalance policy SLB-PRD-EXCHANGE-OWA
    loadbalance vip icmp-reply
    nat dynamic 117 vlan 117
Could someone help us on implementing the sticky on https traffic?
Thanks a lot.
Frédéric

Hello Frédéric,
If you are load-balancing SSL, then you cannot perform sticky via a Cookie (insert / learning). The reason for this is that the SSL data is encrypted and the ACE will not be able to insert a Cookie or learn a Cookie with encrypted data. If you are performing SSL termination or End-to-End SSL (termination and initiation) then you would be able to perform sticky via Cookie (insert / learning). When load-balancing SSL, your sticky options are either sticky via SSL Session ID or via SRC IP.
The one major issue with SSL Session ID sticky is that some older I.E. browsers may re-negotiate the SSL Session ID every two minutes, which may cause the SSL user to get load-balanced to a different Rserver. This is also explained in the following knowledge base article: http://support.microsoft.com/kb/265369
Here are a couple of examples covering both SSL Session ID sticky as well as SRC IP sticky:
SSL Session ID Example:
parameter-map type generic SSLID-PARAMMAP
  set max-parse-length 70
serverfarm host ISA-PRD-EXCHANGE-OWA-SF
  description Serverfarm used for Exchange OWA (portal.inami.be) in production
  probe ICMP-PROBE-ALL
  probe ISA-PRD-HTTPS-EXCHANGE-OWA-PROBE
  rserver ISA-DMZ-PRD-1
    inservice
  rserver ISA-DMZ-PRD-2
    inservice
  rserver ISA-DMZ-PRD-3
    inservice
sticky layer4-payload SSL-STICKY
  timeout 30
  serverfarm ISA-PRD-EXCHANGE-OWA-SF
  response sticky
  layer4-payload offset 43 length 32 begin-pattern "\x20"
policy-map type generic first-match SLB-PRD-EXCHANGE-OWA
  class class-default
    sticky-serverfarm SSL-STICKY
policy-map multi-match ISA-PRD-LOADBALANCING
  class ISA-VIP-PRD-EXCHANGE-OWA
    loadbalance vip inservice
    loadbalance policy SLB-PRD-EXCHANGE-OWA
    loadbalance vip icmp-reply
    appl-parameter generic advanced-options SSLID-PARAMMAP
    nat dynamic 117 vlan 117
SRC IP Example:
serverfarm host ISA-PRD-EXCHANGE-OWA-SF
  description Serverfarm used for Exchange OWA (portal.inami.be) in production
  probe ICMP-PROBE-ALL
  probe ISA-PRD-HTTPS-EXCHANGE-OWA-PROBE
  rserver ISA-DMZ-PRD-1
    inservice
  rserver ISA-DMZ-PRD-2
    inservice
  rserver ISA-DMZ-PRD-3
    inservice
sticky ip-netmask 255.255.255.255 address source SRCIP-STICKY
  timeout 30
  serverfarm ISA-PRD-EXCHANGE-OWA-SF
policy-map type generic first-match SLB-PRD-EXCHANGE-OWA
  class class-default
    sticky-serverfarm SRCIP-STICKY
policy-map multi-match ISA-PRD-LOADBALANCING
  class ISA-VIP-PRD-EXCHANGE-OWA
    loadbalance vip inservice
    loadbalance policy SLB-PRD-EXCHANGE-OWA
    loadbalance vip icmp-reply
    nat dynamic 117 vlan 117
I hope this information helps.
Thank you,
Antonios
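To see why the rule `layer4-payload offset 43 length 32 begin-pattern "\x20"` in the SSL Session ID example lands on the session ID, and why `response sticky` lets the ACE learn it from the server side, here is a small Python model. It is added here as an illustration and is not part of the original thread, nor Cisco ACE code: the Hello records are constructed sample bytes, and `StickyTable` is a hypothetical stand-in for the ACE sticky database. The one name reused from the thread is the rserver `ISA-DMZ-PRD-2`.

```python
from typing import Optional

# TLS record and handshake layout (RFC 5246; SSLv3 records share it).
CONTENT_TYPE_HANDSHAKE = 0x16
HANDSHAKE_CLIENT_HELLO = 0x01
HANDSHAKE_SERVER_HELLO = 0x02

# The three numbers from the ACE rule, spelled out:
#   5-byte record header + 4-byte handshake header + 2-byte version + 32-byte random = 43
ACE_OFFSET = 5 + 4 + 2 + 32
# At offset 43 sits the session_id length byte; 0x20 (= 32) means a full-length ID follows.
ACE_BEGIN_PATTERN = 0x20
ACE_LENGTH = 32


def build_hello(msg_type: int, version: bytes, rnd: bytes, session_id: bytes, tail: bytes) -> bytes:
    """Constructed sample: assemble a minimal ClientHello or ServerHello record.

    ClientHello and ServerHello both start with version, random, session_id, so
    the session ID sits at the same offset in the request and in the response.
    """
    body = version + rnd + bytes([len(session_id)]) + session_id + tail
    handshake = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return bytes([CONTENT_TYPE_HANDSHAKE]) + version + len(handshake).to_bytes(2, "big") + handshake


def extract_sticky_key(payload: bytes) -> Optional[bytes]:
    """Apply the ACE layer4-payload rule to the first TCP payload of a connection.

    Returns the 32-byte session ID when the byte at offset 43 equals the
    begin-pattern 0x20, otherwise None: a non-handshake record, a short
    payload, or a client that offers no session ID to resume.  None means the
    load balancer has nothing to stick on and uses its normal predictor.
    """
    if len(payload) < ACE_OFFSET + 1 + ACE_LENGTH:
        return None
    if payload[0] != CONTENT_TYPE_HANDSHAKE:
        return None
    if payload[ACE_OFFSET] != ACE_BEGIN_PATTERN:
        return None
    start = ACE_OFFSET + 1
    return payload[start:start + ACE_LENGTH]


class StickyTable:
    """Hypothetical model of the sticky database: session ID -> rserver name."""

    def __init__(self) -> None:
        self.entries: dict[bytes, str] = {}

    def learn_from_response(self, server_hello: bytes, rserver: str) -> Optional[bytes]:
        # 'response sticky': the ID assigned by the server is recorded for that rserver.
        key = extract_sticky_key(server_hello)
        if key is not None:
            self.entries[key] = rserver
        return key

    def lookup(self, client_hello: bytes) -> Optional[str]:
        key = extract_sticky_key(client_hello)
        return self.entries.get(key) if key is not None else None


def simulate() -> tuple:
    """Walk one client through a fresh connection and a resumption."""
    tls12 = b"\x03\x03"
    sid = bytes(range(32))                      # constructed 32-byte session ID
    cipher_tail = b"\x00\x02\x00\x2f\x01\x00"   # one cipher suite, null compression

    # 1. New client (or an old I.E. that just dropped its session): empty session ID.
    fresh = build_hello(HANDSHAKE_CLIENT_HELLO, tls12, b"\x11" * 32, b"", cipher_tail)
    # 2. The rserver picked by the predictor answers with a ServerHello carrying an ID.
    srv = build_hello(HANDSHAKE_SERVER_HELLO, tls12, b"\x22" * 32, sid, b"\x00\x2f\x00")
    # 3. The client reconnects and echoes that ID to resume the session.
    resume = build_hello(HANDSHAKE_CLIENT_HELLO, tls12, b"\x33" * 32, sid, cipher_tail)

    table = StickyTable()
    first = table.lookup(fresh)                     # None: nothing to stick on yet
    learned = table.learn_from_response(srv, "ISA-DMZ-PRD-2")
    second = table.lookup(resume)                   # "ISA-DMZ-PRD-2"
    return first, learned, second


if __name__ == "__main__":
    print(simulate())
```

The `fresh` case is the situation behind the caveat about older I.E. browsers: once the browser drops its session and sends an empty session ID, the rule yields no key, so the connection is load-balanced afresh and may land on another rserver until the new ID is learned from that server's response.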

Similar Messages

  • HTTPS with load balancing

    Hi guys,
    We have a portal system with instance 08, so we typically connect to the portal using port 50800 for HTTP, and 50801 for HTTPS.
    We have just created a second server node for this portal (in the config tool).
    When we connect to 50800, does this automatically load balance the user to the better server? From some reading on these forums, it seemed to indicate that load balancing will only occur if I connect using port 8109. (where 09 is the instance number for the SCS of our portal)
    When connecting to port 8109, we are redirected to port 50800, as I'd expect.
    Question 1 - do we need to use 8109 for load balancing, or can we still use 50800?
    Question 2 - If we need to use 8109, which is a HTTP port, how can we achieve load balancing with HTTPS. Is there a different port we need to use to have HTTPS with load balancing?
    Question 3 - Is the creation of a second server node the best way to accommodate additional users and load on the portal system, or is there a better way to do things?
    Thanks,
    Michael.

    Better late than never.
    The load balancing you describe through the message server has its limitation. It redirects you to one of the dialog server hosts which means that any bookmarks will always point directly to a dialog server which may be down at that moment.
    Access directly to a dialog server on port 50800 will sort of load balance on the Java server instances that are on that server, but not on other servers.
    The general recommendation is to set up an external load balancer, and SAP Web Dispatcher is a good match if the load is not very high. SAP Web Dispatcher will then bind up the cluster address and act as a proxy towards the dialog servers of the portal. The user will therefore only see one address. This will also work for HTTPS.
    Regards
    Dagfinn

  • How to use HTTPS with sender SOAP Adapter

    Hi,
    I am implementing a synchronous SOAP-proxy scenario and on the sender communication channel I have to use the HTTP Security Level "HTTPS with client Authentication".
    Where do I get the certificates to be used in the sender agreement?
    Please give me a step by step approach to achieve this.
    Regards,
    Nitin

    Nitin,
    Kindly go through the below links ...
    http://help.sap.com/saphelp_nw04/helpdata/en/1f/7e2441509fa831e10000000a1550b0/content.htm
    http://help.sap.com/saphelp_nw04/helpdata/en/14/ef2940cbf2195de10000000a1550b0/frameset.htm
    Also, make a search on the SDN as this question has been answered many a times on the forum.
    Regards,
    Neetesh

  • Enabling HTTPS with Client Authentication for Sender SOAP Adapter on PI7.1

    Hello All,
    We are currently building up a HTTPS message exchange with an external client.
    Our PI 7.1 receives messages over HTTPS on an already configured Sender SOAP Adapter.
    The HTTPS (SSL) connectivity works fine and was completely configured on the ABAP Stack at Trust Manager (TC=STRUSTSSO2).
    Login to the Message Servlet "com.sap.aii.adapter.soap.web.MessageServlet" is required and works fine with user ID and password.
    Now we have to configure the additional Client Authentication.
    At SOAP Adapter (Sender Communication Channel) under "HTTP Security Level" you are able to configure "HTTPS with Client Authentication".
    But what are the next steps to get this scenario successfully in place?
    Many thanks in advance!
    Jochen

    Hi Colleagues,
    The following steps still have to be done:
    - Mapping public key to technical user at Java Stack
      As preparation you have to activate the value "ume.logon.allow.cert" with true under "com.sap.security.core.ume.service" in the Config Tool. In NWA under Identity Management, assign the public key certificate to the respective technical user.
    - Be sure the CA root certificate is in the database under STRUSTSSO2
    - Import the intermediate certificate under Certificate List at Trust Manager for the respective server node
    - Use the Login Module "client_cert", which you have to configure under NWA\Configuration Management\Authentication for Components "sap.com/com.sap.aii.adapter.soap.app*XISOAPAdapter".
    Many thanks to all for support!
    Regards,
    Jochen

  • HTTPS with Client Authentication not available in EHP1?

    Hi Guys,
    I am not seeing this option in PI 7.1 EHP1.
    At SOAP Adapter (Sender Communication Channel) under "HTTP Security Level" you are able to configure "HTTPS with Client Authentication".
    any help would be appreciated
    Thanks,
    Srini

    Hi Srinivas,
    I did not use it personally. But when I look at SAP help I don't see that option anywhere. Please see this SAP help:
    http://help.sap.com/saphelp_nwpi711/helpdata/en/48/3555240bea31c3e10000000a42189d/content.htm
    But you have the option of a sender agreement for security. Please see this help:
    http://help.sap.com/saphelp_nwpi711/helpdata/en/48/ceb8cf18d3424be10000000a421937/content.htm
    Since we have the option to skip the adapter engine, they have enabled this option in the HTTP adapter. So you can directly hit the integration engine, skipping the adapter framework, which will help in improving the performance. Please see this help on this:
    http://help.sap.com/saphelp_nwpi711/helpdata/en/43/64db4daf9f30b4e10000000a11466f/frameset.htm
    Regards,
    ---Satish

  • Error in scenario "FILE to HTTP(with SSL)" - HTTP client code 110 reason.

    Hi friends,
    Our scenario is as follows:
    We are trying to send XML file from our SAP-XI to external tool "COMMunix XC" (a multi-protocol EDI platform tool).
    We have configured " FILE TO HTTP(with SSL)" scenario (trying to connect HTTPS/port)
    1. We have created an RFC destination of type G and referred to the same RFC in the Communication channel (Adapter type: HTTP)
    2. We have sent the SSL Server certificate to the other party and ensured that they have imported it at their end.
    3. We have included the certificates from the other party in our SAP XI STRUST under the SSL Client (Standard) node.
    4. We have tried "CONNECTION TEST" in the RFC destination created in type G (in STEP 1) and it shows the GREEN TICK at the bottom, no other message nor any error message
    When we trigger the communication we receive the error: HTTP client code 110 reason in SXMB_MONI.
    Please let us know if we have missed out some step.
    What does the error message indicate?
    Regards,
    Rehan

    Hi Rehan,
    I see that the PROCTIMEOUT was already at a very high value.
    Does this occur for messages of a particularly large size? If yes, you could increase the parameter
       icm/HTTP/max_request_size_KB = 2097152
    This would need to be done in the sender/receiver system as well as XI.
    Otherwise you could try reproducing the issue and checking the dev_icm log in the work directory, or go to SMICM -> Goto -> Display trace file
    check for errors like NIECONN_REFUSED or "no service for protocol HTTPS" which can often be related to this type of issue.
    Kind regards,
    Sarah

  • HTTPS with Client Authentication in SOAP sender Adapter

    Hi All,
    In the SOAP Sender communication channel, when I generate the WSDL with "HTTP Security Level = HTTP" it works when the third party tries to send data to the XI web service.
    But when I tried with the "HTTPS with Client Authentication" option it's giving the error
    "InfoPath either cannot connect to the data source, the service has timed out, or the server has an invalid certificate."
    Please guide how to use the "HTTPS with Client Authentication" option, and what configuration needs to be applied in XI and at the third party to use this.
    Regards

    Rohan,
    With spy you can trace the entire route; since you are using client authentication using a certificate, it would be a better option to verify with the certificate.
    You also have the option of using a username/pwd combo, though that is not advocated as it lowers security levels and is permeable to passive sniffing.
    So the answer to your question is yes, after importing the certificate with the sender and third-party receiver a test would reveal the complete scenario along with any issues that you could encounter.
    Regards
    Ravi Raman

  • HTTPS with null cipher

    Hi,
    I have two OSB's communicating over SSL.
    How do I configure Weblogic to use a particular cipher during communication.
    I want the communication to use TLS_RSA_WITH_NULL_SHA, or any null cipher, so that
    the content can be scanned as it passed through a firewall.

    Hi Rana da,
    If you want to use HTTPS, make sure the HTTPS service is activated in the system. Check Tcode SMICM for the HTTPS status.
    Have a look at below link
    Sender SOAP Adapter: HTTPS with Client Authentication

  • Https with SCEP?

    Has anyone been able to get https to work with SCEP?
    Right now I'm just trying to authenticate a trustpoint, and it does work if I use http as my enrollment URL, but as soon as I change it to https I get the following in my debug: Unable to locate cert record by issuername.
    The router is communicating with the server (over https) because I can see it reading the subject of the certificates in the chain but it keeps erroring out, I get: Cert record not found, returning E_NOT_FOUND for each certificate in the chain until ultimately it dies and gives the Unable to locate cert record by issuername.
    Thanks!!

  • Https with client authentication handshake_failure

    Hi everyone. I hope anyone could help me. I have a client class 1 certificate from verisign (digital id) which is needed for https service request. I have installed it on Internet Explorer and it works fine:
    1) Internet Explorer asks me to trust the https server certificate.
    2) I accept the server certificate
    3) Internet Explorer asks me to select which client certificate to send to the server.
    4) I select my verisign client certificate
    5) The https server returns an xml with the response of the service.
    Now I have to implement this behaviour in Java. I have exported the client certificate to a .pfx file from Internet Explorer. Now I use this file directly as my key store. Then I used Internet Explorer to export the server certificate as a .cer file and imported it into cacerts. The fact is that no matter what kind of transformation I do on the client certificate or what validations I disable, I always get a "Received fatal alert: handshake_failure" exception when trying to do in.readLine() (where in comes from BufferedReader in = new BufferedReader(new InputStreamReader(socket.getInputStream()));).
    I couldn't guess that connecting to an https server with a client certificate was so difficult. I have read lots of examples and documentation, which always drive me to implement the same code.
    Sincerely, I don't usually ask in forums when having the first problems, but this time I'm really frustrated.
    Thanks in advance for any answer.

  • HTTPS With Client Authentication

    Hi,
    I've created a simple Web Service in PI 7.11 SP 4 when trying to connect to the Web Service from Soap UI I get the following error:
    java.security.AccessControlException: client certificate required
    In the transaction scim the following can be seen:
    [Thr 5061] <<- SapSSLSessionInit()==SAP_O_K
    [Thr 5061]      in: args = "role=2 (SERVER), auth_type=1 (ASK_CLIENT_CERT)"
    [Thr 5061]     out: sssl_hdl = 1117534b0
    [Thr 5061] <<- SapSSLSetSessionCredHdl(sssl_hdl=1117534b0)==SAP_O_K
    [Thr 5061]      in: sssl_hdl = 1117534b0
    [Thr 5061]      in: cred_hdl = 116cfc110
    [Thr 5061] NiIBlockMode: set blockmode for hdl 271 TRUE
    [Thr 5061]   SSL NI-sock: local=XX.XX.XX.XX:50001  peer=XX.XX.XX.XX:2310
    [Thr 5061] <<- SapSSLSetNiHdl(sssl_hdl=1117534b0, ni_hdl=271)==SAP_O_K
    [Thr 5061] <<- SapSSLSessionStart(sssl_hdl=1117534b0)==SAP_O_K
    [Thr 5061]          status = "resumed SSL session, NO client cert"
    The fault is not at the Soap UI end as I've fired the request at a Tomcat server and confirmed that a certificate is sent when requested.
    Sender Communication Channel, 
    Transport Protocol: HTTP,
    Message Protocol: Soap 1.1,
    Adapter Engine: Central Adapter Engine,
    HTTPS with Client Authentication,
    Keep Headers
    Any ideas?
    Kind regards,
    John

    Hi Peter,
    If memory serves we did not find a solution to this problem. I think, and a quick check of the configuration suggests I'm right, that we're handling the HTTPS connection on an IIS box and passing it through to a non encrypted HTTP sender on PI.
    It may be that Soap UI is not configured correctly, however when I was getting the 'client certificate required', as mentioned in the original post, I'd confirmed that soap UI was correctly configured by connecting to an alternative Web Service. I also used Wireshark to see whether or not a certificate was being requested, or sent. It's invaluable if you're using Soap UI.
    All the best,
    John

  • HTTPS with client auth

    Hello, I am working on a scenario to implement Client Authentication with HTTPS. I got to a blog where the steps for implementing HTTPS with client auth on an XI system are mentioned. In order to test it I would also require a web service client that works for this purpose. I got to the SAP SOAP client, but what's the way to generate the certificate request so that I can send it to a CA and get it signed? Any ideas please?

    Hi together,
    I have the same problem. Is anybody out there who could give us some hints?
    many thanks
    alex schramm

  • HTTPS with ALE

    Can we use HTTPS with ALE to establish a connection between the HR and ERP system? There are separate instances for FI and HCM and we require an ALE interface between them. RFC with SNC is not an option, so I am wondering if there is an ALE with HTTPS route we can take? Any info will be greatly appreciated.

    Hi Fahad,
    As far as I know there is no way to use HTTPS for ALE without PI, because ALE is based on RFC technology, not HTTP/HTTPS.
    If my knowledge is correct then you might need to use other middleware like SAP PI, webMethods, Tibco etc., or if not you might need to do some customized scenario using web services. But both your ERP and HCM must be at least ECC 6.
    For IDoc, for example, you can set the port to generate an XML file, and create a program to pick it up and send it over SOAP/HTTPS to the HCM system.
    Please correct me if i am wrong.
    Regards
    Fernand.

  • Can not seem to connect to an HTTPS with a port number

    Hello,
    I am building an application that needs to connect to an https with a port number...
    If the url is 'https://xxx.yyy.zzz' and the port is 5000, what would I use? I have found examples without a port number but not with a port number...

    Ah... Like GET and SEND?
    That is definitely not correct in this situation.
    I think what is throwing me is that they specified
    the host as 'https://xxx.yyy.zzz' where really
    they want an SSL connection... I think anyways...
    Generally there are two situations.
    1. There are two possible connections/protocols. One is SSL only and the other is https.
    2. They got carried away with the documentation. They added a section describing how SSL works. The protocol within SSL is still http. That is the definition of https though.

  • How to access Flash Apps over https with a self signed certificate?

    I have a Flex app that needs to access data from a SOAP web service over https with a self signed certificate. The app needs to ignore the https warnings, just as a browser would warn & allow the user to proceed. Buying a valid signed certificate is not an option for us.
    It works fine over http.
    How can I achieve this?
    I read that URLRequest has a property: authenticate, that I can set to false. However, this property is available only for Adobe AIR applications from what I can see. This doesn't seem available for Flex apps.
    I have tried this in both Flex 3 & the latest Flash Builder 4. Have the same issue in both cases.
    Help appreciated.
    Thanks

    You'd really need to ask in the Flex or Flash Builder forums as this is a front end code modification and Flash Player can't do any of that.
